Then it would be a grave error to issue an IP cert without active insight into BGP. (Or it doesn't matter which chain you have.. But calling a website from a sampling of locations can't be a more correct answer.)
> why we are wasting so much time on utterly wrong TOFU authorization?
If you are supposed to have an establishable identity I think there is DNSSEC back to the registrar
They retire challenges that were once acceptable. What happens if they require a real chain of trust? They retire http and domain names keep working on DNS/DNSSEC.
Making IP with only http challenges is going backwards.
Then it would be a grave error to issue an IP cert without active insight into BGP. (Or it doesn't matter which chain you have.. But calling a website from a sampling of locations can't be a more correct answer.)
>it would be a grave error to issue an IP cert without active insight into BGP
Why? Even regular certs are handed out via IP address.
> why we are wasting so much time on utterly wrong TOFU authorization? If you are supposed to have an establishable identity I think there is DNSSEC back to the registrar
They retire challenges that were once acceptable. What happens if they require a real chain of trust? They retire http and domain names keep working on DNS/DNSSEC.
Making IP with only http challenges is going backwards.